A report from the Wall Street Journal suggests that Google has been bypassing the privacy settings of millions of Safari users by installing cookies that could track the browsing habits of people—even if they thought they had blocked them.

The WSJ explains how Google has developed code that installs cookies on a users' device—without their permission—from adverts contained in web pages. Once installed, however, those cookies have potentially allowed Google to track browsing across the majority of websites.

Research by the WSJ showed that the code was present in adverts on Fandango.com, Match.com, AOL.com, TMZ.com and UrbanDictionary.com, among others, and that it worked on both desktop and mobile versions of Safari.

"The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It's important to stress that these advertising cookies do not collect personal information."

However, since the WSJ informed Google that it was aware of the practice, Google has disabled the feature on their servers. An Apple representative has said that the company is "working to put a stop" to the privacy invasion.

The code in question stems from the development of Google+, being developed to skirt the way Safari blocked an original implementation of the "+1" button on third-party websites. Instead of directly using cookies, which Safari doesn't allow without user consent, the code made Safari think that a person was submitting an invisible form to Google. Sneaky. Then, Google had free reign to add cookies—and track a user's browsing—without the user ever knowing.

It's an old exploit, first dug up back in 2010 by Anant Garg. Which means that while Apple may well be working on a stop now, they certainly havent been in any rush these last two years. Which is a shame, and puts more than a little blame in its court for leaving gate unlocked.

In a privacy policy shift, Google announced today that it will begin tracking users universally…
Read more Read more

Update: Rachel Whetstone, Senior Vice President of Communications and Public Policy at Google has since said:

"The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It's important to stress that these advertising cookies do not collect personal information.

"Unlike other major browsers, Apple's Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as "Like" buttons. Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content—such as the ability to "+1" things that interest them.

"To enable these features, we created a temporary communication link between Safari browsers and Google's servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization. But we designed this so that the information passing between the user's Safari browser and Google's servers was anonymous—effectively creating a barrier between their personal information and the web content they browse.

"However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn't anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It's important to stress that, just as on other browsers, these advertising cookies do not collect personal information."